Basically I'm trying to remount the root filesystem read-only (in a mount namespace nested in an LXC container). The setup is a few bind mounts around the place ending with:

    mount --rbind / /
    mount -o remount,ro /

I tried every combination of:

    mount options=(ro, remount, bind) / -> /,

I could think of. Adding the rule `audit mount,` shows all the other mounts I do, but not the ones operating on `/`. The closest I can get is `mount -> /,` which IMHO is too loose. Even `mount / -> /,` denies the remount (while the first bind mount is allowed).

Actually, that is exactly what I want to do. All the directories that need to be writable (surprisingly few, btw) are on another filesystem. The only issue is I cannot convince AppArmor to allow this specific operation.
– Grzegorz Nosek Feb 26 '13 at 18:13

Yeah, I can either disable AppArmor, or allow mounting anything on /, as I mentioned in the question. Still, that doesn't help me if I actually want to benefit from AppArmor.
– Grzegorz Nosek Feb 27 '13 at 18:02